Most people use either an app, an online platform, or a small hardware device as a wallet to store their cryptocurrency safely. The exchanges through which cryptocurrency changes hands, though, and other high stakes operations need something more like a massive digital bank vault. At the Black Hat security conference on Thursday, researchers detailed potential weaknesses in these specially secured wallet schemes, including some that affected real exchanges that have now been fixed.
The attacks aren't the digital equivalent of jackhammering a weak point on a safe or blowing up a lock. They're more like opening an old-timey bank vault with six keys that all have to turn at the same time. Breaking cryptocurrency private keys into smaller chunks similarly means an attacker has to cobble them together first to steal funds. But unlike distributing physical keys, the cryptographic mechanisms that underly multiparty key management are complex and difficult to implement correctly. Mistakes could be costly.
"These organizations are managing a lot of money, so they have quite high privacy and security requirements," says Jean-Philippe Aumasson, cofounder of the cryptocurrency exchange technology firm Taurus Group and vice president at Kudelski Security. "They need a way to split the cryptocurrency private keys into different components, different shares, so no party ever knows the full key and there isn't a single point of failure. But we found some flaws in how these schemes are set up that are not just theoretical. They could really have been carried out by a malicious party."
For the work, Aumasson, a cryptographer, validated and refined vulnerability discoveries made by Omer Shlomovits, cofounder of the mobile wallet maker ZenGo. The findings break down into three categories of attacks.
The first would require an insider at a cryptocurrency exchange or other financial institution exploiting a vulnerability in an open-source library produced by a prominent cryptocurrency exchange that the researchers declined to name. The attack takes advantage of a flaw in the library's mechanism for refreshing, or rotating, keys. In distributed key schemes, you don't want the secret key or its components to stay the same forever, because over time an attacker could slowly compromise each part and eventually reassemble it. But in the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn't merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.
Most distributed key schemes are set up so only a predetermined majority of the chunks of a key need to be present to authorize transactions. That way the key isn't lost entirely if one portion is accidentally eliminated or destroyed. The researchers point out that an attacker could use this fact to extort money from a target, letting enough portions of the key refresh—including the one they control—that they can contribute their portion and restore access only if the victim pays a price.
The researchers disclosed the flaw to the library developer a week after the code went live, so it's unlikely that any exchanges had time to incorporate the library into their systems. But because it was in an open-source library, it could have found its way into numerous financial institutions.
In the second scenario, an attacker would focus on the relationship between an exchange and its customers. Another flaw in the key rotation process, in which it fails to validate all of the statements the two parties make to each other, could allow an exchange with malicious motivations to slowly extract the private keys of its users over multiple key refreshes. From there a rogue exchange could initiate transactions to steal cryptocurrency from its customers. This could also be carried out quietly by an attacker who first compromises an exchange. The flaw is another open-source library, this time from an unnamed key management firm. The firm does not use the library in its own offerings, but the vulnerability could have been incorporated elsewhere.
The third attack begins when all the trusted parties originally derive their portions of the key. As part of this process, each party must generate a couple of random numbers that will be publicly verified and tested for use later in "zero knowledge proofs," when the different key holders verify that they have the right key information without revealing the content. This time, the researchers found that a protocol in an open-source library developed by the cryptocurrency exchange Binance didn't actually check these random values. As a result, a malicious party in the key generation could send specially constructed messages to everyone else that would essentially choose and assign all of these values, allowing the attacker to later use this unvalidated information to extract everyone's portion of the secret key.
"This is the one that is instantly fatal," says KZen Networks' Shlomovits. "For the attack here you would craft a specific message, send it at the time of key generation, wait until the first signature, and then you're done. You would have enough information to learn all the other keys."
Binance fixed the vulnerability in March and pointed out that it's only present during initial key generation. It does not introduce a lasting vulnerability—unless, of course, your organization's initial key generation included a malicious party from the start.
"We recommend that users upgrade to this new version of 'tss-lib' as soon as possible," the company said in a March security bulletin. "Signing groups should only be re-created if any parties were untrusted or potentially malicious at the time of keygen."
The attacks Shlomovits and Aumasson identified would not be trivial for an attacker to carry out. They all involve a somewhat privileged position within an exchange, whether taking control altogether or controlling one portion of a distributed key. Beyond identifying individual vulnerabilities, though, the two say that the goal of the research was to call attention to how easy it is to make mistakes while implementing multiparty distributed keys for cryptocurrency exchanges. And how impactful those mistakes can be when they're in open-source libraries that can proliferate widely. Using distributed key schemes is an important defense against takeover, but the cryptography is complicated enough that the development process can't be taken lightly.
"It takes a lot of time, a lot of expertise, and everyone makes mistakes," Shlomovits says. "Literally everyone, because it’s really hard to do this translation from paper to an actual production system that holds funds."
- There’s no such thing as family secrets in the age of 23andMe
- My friend was struck by ALS. To fight back, he built a movement
- How Taiwan’s unlikely digital minister hacked the pandemic
- Linkin Park T-shirts are all the rage in China
- How two-factor authentication keeps your accounts safe
- 🎙️ Listen to Get WIRED, our new podcast about how the future is realized. Catch the latest episodes and subscribe to the 📩 newsletter to keep up with all our shows
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones
